provide reproducible binary build

kariy · kariy · commit 85182a1678ab · 2026-01-01T20:55:32.000+08:00
diff --git a/.cargo/config.toml b/.cargo/config.toml
diff --git a/.github/workflows/release-tee.yml b/.github/workflows/release-tee.yml
@@ -0,0 +1,124 @@
+name: release-tee
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag (e.g., v1.7.0). If empty, uses version from Cargo.toml"
+        type: string
+        required: false
+
+env:
+  CARGO_TERM_COLOR: always
+
+permissions:
+  id-token: write      # OIDC token for Sigstore signing
+  attestations: write  # Persist attestations
+  contents: write      # Release artifact upload
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      tag_name: ${{ steps.release_info.outputs.tag_name }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Get version
+        id: release_info
+        run: |
+          if [[ -n "${{ github.event.inputs.tag }}" ]]; then
+            echo "tag_name=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
+          else
+            cargo install cargo-get
+            echo "tag_name=v$(cargo get workspace.package.version)" >> $GITHUB_OUTPUT
+          fi
+
+  build-contracts:
+    runs-on: ubuntu-latest
+    needs: prepare
+    container:
+      image: ghcr.io/dojoengine/katana-dev:latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build contracts
+        run: make contracts
+      - name: Upload contract artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: contract-artifacts
+          path: ./crates/contracts/build
+          retention-days: 1
+
+  reproducible-build:
+    name: Reproducible TEE Build
+    needs: [prepare, build-contracts]
+    runs-on: ubuntu-latest-8-cores
+    outputs:
+      binary-hash: ${{ steps.hash.outputs.sha384 }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download contract artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: contract-artifacts
+          path: ./crates/contracts/build
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build reproducible binary
+        run: |
+          docker build \
+            -f reproducible.Dockerfile \
+            -t katana-reproducible:${{ needs.prepare.outputs.tag_name }} \
+            --no-cache \
+            .
+
+      - name: Extract binary from container
+        run: |
+          docker create --name katana-extract katana-reproducible:${{ needs.prepare.outputs.tag_name }}
+          docker cp katana-extract:/katana ./katana-reproducible
+          docker rm katana-extract
+
+      - name: Calculate binary hash
+        id: hash
+        run: |
+          SHA384=$(sha384sum ./katana-reproducible | cut -d ' ' -f 1)
+          echo "sha384=${SHA384}" >> $GITHUB_OUTPUT
+          echo "Binary SHA-384: ${SHA384}"
+
+      - name: Archive reproducible binary
+        env:
+          VERSION_NAME: ${{ needs.prepare.outputs.tag_name }}
+        run: |
+          tar -czvf "katana_${VERSION_NAME}_linux_amd64_tee.tar.gz" katana-reproducible
+          sha384sum katana-reproducible > "katana_${VERSION_NAME}_linux_amd64_tee.sha384"
+
+      - name: Generate build provenance attestation
+        id: attest
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ./katana-reproducible
+
+      - name: Upload release artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: tee-release-artifacts
+          path: |
+            katana_${{ needs.prepare.outputs.tag_name }}_linux_amd64_tee.tar.gz
+            katana_${{ needs.prepare.outputs.tag_name }}_linux_amd64_tee.sha384
+
+      - name: Summary
+        run: |
+          echo "## TEE Reproducible Build Complete" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Version:** ${{ needs.prepare.outputs.tag_name }}" >> $GITHUB_STEP_SUMMARY
+          echo "**SHA-384:** \`${{ steps.hash.outputs.sha384 }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Verify Attestation" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "gh attestation verify ./katana-reproducible --repo ${{ github.repository }}" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/crates/tee/README.md b/crates/tee/README.md
@@ -58,6 +58,37 @@ The quote contains:
 - Quote generation requires hardware access; quote generation will return errors on unsupported platforms
 - The 64-byte report data is a Poseidon hash of `H_poseidon(state_root, block_hash)`, padded with zeros
 
+## Reproducible Builds
+
+For TEE deployments, verifiable builds are essential. The release pipeline produces a reproducible TEE binary with signed attestation.
+
+### Verify Build Attestation
+
+```bash
+# Download artifacts from workflow run
+gh run download <run-id> --name tee-release-artifacts --repo dojoengine/katana
+tar -xzf katana_v1.7.0_linux_amd64_tee.tar.gz
+gh attestation verify ./katana-reproducible --repo dojoengine/katana
+```
+
+### Reproduce Locally
+
+```bash
+git clone https://github.com/dojoengine/katana.git && cd katana
+git checkout v1.7.0
+docker build -f reproducible.Dockerfile -t katana-verify .
+docker create --name verify katana-verify
+docker cp verify:/katana ./katana-local && docker rm verify
+sha384sum ./katana-local  # Should match published hash
+```
+
+### Build Details
+
+- **Base**: `rust:1.86.0-slim-bookworm` (pinned by digest)
+- **Target**: `x86_64-unknown-linux-musl` (static linking)
+- **Profile**: `performance` (fat LTO, single codegen unit)
+- **SOURCE_DATE_EPOCH**: `1735689600` (2025-01-01 00:00:00 UTC)
+
 ## References
 
 ### AMD SEV-SNP
diff --git a/reproducible.Dockerfile b/reproducible.Dockerfile
@@ -0,0 +1,44 @@
+# Reproducible build Dockerfile for Katana TEE
+#
+# Produces bit-for-bit identical builds across different machines.
+#
+# Usage:
+#   docker build -f reproducible.Dockerfile -t katana-reproducible .
+#   docker create --name extract katana-reproducible
+#   docker cp extract:/katana ./katana-reproducible
+#   docker rm extract
+
+# Pin Rust image by digest (rust:1.86.0-slim-bookworm for amd64)
+FROM rust@sha256:a044f7ab9a762f95be2ee7eb2c49e4d4a4ec60011210de9f7da01d552cae3a55 AS builder
+
+# Install musl toolchain for static linking
+RUN apt-get update && apt-get install -y --no-install-recommends \
+	musl-tools \
+	musl-dev \
+	&& rm -rf /var/lib/apt/lists/*
+
+RUN rustup target add x86_64-unknown-linux-musl
+
+WORKDIR /build
+
+# Reproducibility environment variables
+ENV SOURCE_DATE_EPOCH=1735689600 \
+	RUSTFLAGS="--remap-path-prefix=/build=/build --remap-path-prefix=/root/.cargo=/cargo -C target-feature=+crt-static" \
+	CARGO_HOME=/cargo \
+	LANG=C.UTF-8
+
+# Copy source (respects .dockerignore)
+COPY . .
+
+# Build static binary
+RUN cargo build \
+	--locked \
+	--target x86_64-unknown-linux-musl \
+	--bin katana \
+	--profile performance
+
+RUN cp /build/target/x86_64-unknown-linux-musl/performance/katana /katana
+
+# Minimal final stage
+FROM scratch AS final
+COPY --from=builder /katana /katana
